Re: [EXTERNAL] Re: [PATCH] Support using "all" for the db user in pg_ident.conf

Jelte Fennema-Nio <postgres@jeltef.nl>

From: Jelte Fennema <postgres@jeltef.nl>
To: Michael Paquier <michael@paquier.xyz>
Cc: Jelte Fennema <Jelte.Fennema@microsoft.com>, "isaac.morland@gmail.com" <isaac.morland@gmail.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>, Nathan Bossart <nathandbossart@gmail.com>, Andrew Dunstan <andrew@dunslane.net>
Date: 2023-01-16T10:53:57Z
Lists: pgsql-hackers

Attachments

> Still, I am having a few second thoughts about 0003 after thinking
> about it over the weekend.  Except if I am missing something, there
> are no issues with 0004 if we keep the current behavior of always
> replacing \1 even if pg-user is quoted?  I would certainly add a new
> test case either way.

Yes, 0004 is not dependent on 003 at all. I attached a new version
of 0003 where only a test and some documentation is added.

> Perhaps it would be simpler to use copy_auth_token() in this code path
> and always free the resulting token?

I initially tried that when working on the patch, but copy_auth_token
(surprisingly) doesn't copy the regex field into the new AuthToken.
So we'd have to regenerate it conditionally. Making the copy
conditional seemed just as simple code-wise, with the added
bonus that it's not doing a useless copy.

> In the code path where system-user is a regexp, could it be better
> to skip the replacement of \1 in the new AuthToken if pg-user is
> itself a regexp?  The compiled regexp would be the same, but it could
> be considered as a bit confusing, as it can be thought that the
> compiled regexp of pg-user happened after the replacement?

I updated 0004 to prioritize membership checks and regexes over
substitution of \1. I also added tests for this. Prioritizing "all" over
substitution of \1 is not necessary, since by definition "all" does
not include \1.

Commits

  1. Add description for new patterns supported in HBA and ident sample files

  2. Support the same patterns for pg-user in pg_ident.conf as in pg_hba.conf

  3. Track behavior of \1 in pg_ident.conf when quoted

  4. Store IdentLine->pg_user as an AuthToken

  5. Add tests for regex replacement with \1 in pg_ident.conf to 0003_peer.pl

  6. Rename some variables related to ident files in hba.{c,h}